[SECURITY] [DSA 2421-1] moodle security update

ID DEBIAN:DSA-2421-1:367D5
Type debian
Reporter Debian
Modified 2012-02-29T20:22:34


Debian Security Advisory DSA-2421-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 29, 2012                      http://www.debian.org/security/faq

Package        : moodle
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-4308 CVE-2011-4584 CVE-2011-4585 CVE-2011-4586 CVE-2011-4587 CVE-2011-4588 CVE-2012-0792 CVE-2012-0793 CVE-2012-0794 CVE-2012-0795 CVE-2012-0796

Several security issues have been fixed in Moodle, a course management system for online learning:

CVE-2011-4308 / CVE-2012-0792

Rossiani Wijaya discovered an information leak in mod/forum/user.php


MNET authentication didn't prevent a user using "Login As" from jumping to a remote MNET SSO.


Darragh Enright discovered that the change password form was sent over plain HTTP even if httpslogin was set to "true".


David Michael Evans and German Sanchez Gances discovered CRLF injection/HTTP response splitting vulnerabilities in the Calendar module.


Stephen Mc Guiness discovered empty passwords could be entered in some circumstances.


Patrick McNeill discovered that IP address restrictions could be bypassed in MNET.


Simon Coggins discovered that additional information could be injected into mail headers.


John Ehringer discovered that email addresses were insufficiently validated.
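The three header-related findings above (CRLF injection in the Calendar module, injection into mail headers, and weak email validation) share one root cause: user input reaching a header line with embedded line breaks. The PHP below is an added illustration, not Moodle's code or the actual upstream fixes; the redirect_* builders, the /calendar/view.php path and the sample input are assumed for demonstration only.

```php
<?php
// Added illustration, not Moodle code: the three header-related issues in this
// advisory (CRLF injection in a redirect, mail header injection, weak email
// validation) share one root cause: user input reaching a header line with
// embedded CR/LF. Reject such input before it is used anywhere in a header.

// Return true only if $value is safe to place on a single header line.
function is_single_header_line(string $value): bool {
    // CR, LF and NUL can terminate or split a header line. Callers must pass
    // the decoded value, so percent-encoded %0d%0a is also caught here.
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Strict email check: syntactically valid and free of line breaks. A CRLF
// inside an address would let extra headers (Bcc: etc.) reach the mailer.
function is_safe_email(string $email): bool {
    return is_single_header_line($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Vulnerable pattern: a query parameter echoed straight into a Location header.
function redirect_vulnerable(string $view): string {
    return "Location: /calendar/view.php?view=" . $view;
}

// Hardened: URL-encode the parameter so CR/LF cannot reach the header line,
// and refuse outright any value that still contains a line break.
function redirect_hardened(string $view): string {
    $encoded = rawurlencode($view);
    if (!is_single_header_line($encoded)) {
        throw new InvalidArgumentException('invalid view parameter');
    }
    return "Location: /calendar/view.php?view=" . $encoded;
}

// Constructed sample input carrying a CRLF sequence (hypothetical test value).
$tainted = "month\r\nSet-Cookie: injected=1";

// With the vulnerable builder the header string now contains a second line.
assert(substr_count(redirect_vulnerable($tainted), "\n") === 1);
// With the hardened builder the CRLF is encoded as %0D%0A and stays inert.
assert(substr_count(redirect_hardened($tainted), "\n") === 0);

// Mail header validation: an address with an embedded newline is rejected.
assert(is_safe_email('student@example.org') === true);
assert(is_safe_email("student@example.org\nBcc: x@example.net") === false);
assert(is_safe_email('') === false);
```

The assert() calls only run when zend.assertions is enabled (the PHP development default); in production the functions alone are the relevant part.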


Rajesh Taneja discovered that cookie encryption used a fixed key.


Eloy Lafuente discovered that profile images were insufficiently protected. A new configuration option "forceloginforprofileimages" was introduced for that.

For the stable distribution (squeeze), this problem has been fixed in version 1.9.9.dfsg2-2.1+squeeze3.

For the unstable distribution (sid), this problem has been fixed in version 1.9.9.dfsg2-5.

We recommend that you upgrade your moodle packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org